Cost-Effective Cybersecurity Strategies

The basic components of an attack, such as how infections occur from websites, advertisements, social networks, online reviews, messaging and connected peripherals such as USB devices and mobile phones.

The warning signs and how to recognize malicious websites, emails and links embedded in conversations. The habit of recognizing a warning sign, pausing, weighing it, and proceeding only after considering whether the benefit of the task you are attempting justifies the risk.

How to recognize fraudulent conversations over any messaging medium along with the warning signs of urgency, deception and uncorroborated requests.

How Internet of Things devices such as smart-home devices, surveillance cameras and appliances can be leveraged against the user and the organization if not properly secured, and how to secure them through simple measures such as changing the default passwords and granting no more access than necessary.

The importance of end-user accountability for maintaining the endpoint, application updates, password management, data export/import and physical protection, as well as how the user's home and personal devices can be used as a launch point to attack the organization if the user fails to maintain the same vigilance after hours on those devices.

Executive and Financial Administration Training

Executives are specifically targeted by direct phishing campaigns because they hold the broadest privileges over financial data, private data and other corporate assets. Most successful executive phishing attacks start with a compromised email account of an executive. An attacker gains privileged access to an email account and begins a dialogue with a financial executive. Since the email is from a colleague, a significant level of trust has already been established. We have all received the email from the Russian prince who only needs access to our bank account to store a significant amount of money until he can get a visa for travel. The majority of us recognize the ridiculousness of this type of request; however, a financial demand from a trusted executive is treated quite differently. It usually involves a bank transfer of less than $250,000 and is presented as a stopgap for a short-term crisis. In a recent attack, a compromised email account of the company's CEO was used to request that the CFO make a payment to a reseller. The email stated that the reseller was integral to a $4 million deal and had been short-changed on the previous quarter's royalty payments. This payment deficit needed to be reconciled before the reseller would agree to the discounts associated with the larger deal.

Corporate phishing attacks almost always carry a sense of urgency and involve either reconciling an existing account ahead of a larger deal or sparing an executive embarrassment. Remember, the attacker has years of corporate email records with which to both fabricate and corroborate the extortion.

Executive training should focus on six distinct areas.

Executive extortion starts with compromised credentials of a communication system such as email, chats, or collaborative environments.

Executives must be the most diligent practitioners of password maintenance policies.

Messages that contain both a sense of urgency and a monetary request should be treated as suspect.

Messages that ask for the identity and responsibilities of colleagues should be treated as suspect.

Informal requests can never circumvent the financial procedures or accountabilities of an institution.

Training Combined With Realistic Drills

Training should start with every new employee and be refreshed on a yearly basis to keep up to date with the latest phishing attacks. Both companies and technologies exist that send realistic simulated phishing emails to employees to test the awareness of both executives and end users. For example, an email linking to a look-alike domain (mycompanyname.hrupdate.com) might be sent to all employees asking them to refresh their personal data through a new HR portal. If they click on the link in the email, they are presented with a form closely resembling the company's website that requests their username and password. Employees who click on the link and enter personal identification data are flagged by the decoy and asked to attend a security-training program. These applications may also include an automated test that presents employees with differing scenarios that should be identified as suspicious or insecure. Both training and validation of that training through continual testing of the user base are essential to effectively thwarting phishing attacks.
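A defender-side check for the two lures this article describes, the look-alike HR-portal link used in the drill above and the urgency-plus-money request from the executive section, as an added example that is not part of the original article. It assumes a naive two-label rule for the registrable domain (a real deployment would consult the Public Suffix List), and the keyword lists and sample messages are constructed.

```python
"""Heuristics for two lures described in the article: a link whose host places
the company's brand name under a domain the company does not own, and a
message that pairs urgency with a monetary request.

Added example, not the article's own code. The registrable-domain rule below
naively takes the last two host labels (assumption); the keyword lists are
constructed samples, not a vetted detection ruleset."""
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed keyword samples for the "urgency + money" pairing.
URGENCY = ("urgent", "immediately", "today", "asap", "right away", "before end of day")
MONEY = ("wire", "transfer", "payment", "invoice", "royalt", "$")


def registrable_domain(host: str) -> str:
    # Naive: assumes a one-label public suffix such as ".com" (assumption).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, org_domain: str) -> Optional[str]:
    """Return why the link is suspect, or None if it belongs to the org's domain."""
    if "://" not in url:            # bare hosts like mycompanyname.hrupdate.com
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    org_domain = org_domain.lower()
    if not host:
        return "no host in link"
    if host == org_domain or host.endswith("." + org_domain):
        return None                 # genuinely under the org's own domain
    brand = org_domain.split(".")[0]
    if brand in host.split("."):
        # e.g. mycompanyname.hrupdate.com: brand appears as a subdomain label
        # of a registrable domain the organization does not control.
        return f"brand name used as subdomain of {registrable_domain(host)}"
    return f"link points to {registrable_domain(host)}, not {org_domain}"


def check_message(text: str) -> List[str]:
    """Flag the urgency / monetary-request signals; both together mark a suspect message."""
    t = text.lower()
    flags = []
    if any(w in t for w in URGENCY):
        flags.append("urgency")
    if any(w in t for w in MONEY):
        flags.append("monetary request")
    return flags
```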

IBM Systems Magazine is a trademark of International Business Machines Corporation. The editorial content of IBM Systems Magazine is placed on this website by MSP TechMedia under license from International Business Machines Corporation.